Netgate Discussion Forum
    Guest / Non-Guest Network with Separate DHCP and Firewall Rules?

fvultee:

Strange question here. I have a router that has both a normal and a guest network. I have pfSense configured to hand out IPs via DHCP to authorized MACs. Is there a way to have another subnet for the guest WiFi, where devices that are NOT in the authorized MAC list are issued an IP via DHCP and use their own firewall rules (i.e. no contact with the MAC-authorized devices)? I know I can do this with a more powerful system since I've seen it done, but I just have a normal SOHO mesh WiFi system running in AP mode and let pfSense run the DHCP service.

JKnott:

        The usual way to have guest WiFi is to use a 2nd SSID and VLAN. Then set up the appropriate rules for the guest network. However, with the DHCP server, you can map authorized devices to specific addresses, which don't overlap the DHCP addresses for other devices. You can try filtering on the separate ranges. For example, have the mapped devices in the lower half of the subnet address range and the other devices in the upper half.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

fvultee:

I did exactly that; the issue is that if I only allow certain MACs on my primary LAN and want to assign the guests to the VLAN I have configured, I don't know their MACs in advance, so I'm not sure how to associate them with the VLAN automatically and have them use the VLAN rules instead.

JKnott:

You didn't initially say you had a VLAN. However, why do you have to worry about the MACs? Just give them the SSID and password for the guest WiFi. That way they'll be on the guest VLAN and pfSense should keep them off the local LAN. No need to worry about the MAC, as those users are already segregated.

fvultee:

I'm clearly not explaining myself well, but to clarify: I don't have a pfSense install that has its own WiFi support. pfSense is running the DHCP server to issue IPs to devices that connect to a SOHO WiFi AP. I am not clear how to have unknown devices grab an IP from the VLAN and the known devices grab fixed IPs for normal LAN access. Ugh, I'm sure it's easy, I'm just not getting the last step. I'm pretty sure you can't have two DHCP servers on the same subnet, so my original config didn't work correctly.

JKnott:

When you create a VLAN, you can also configure the DHCP server to provide addresses to it. The address block must be different from the main LAN. You then configure the AP for the VLAN and second SSID. When guests connect to the guest WiFi, they are connected to the VLAN and get a DHCP address from the VLAN range. I assume the AP supports multiple SSIDs and VLANs.

fvultee:

Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively; that's why I've been trying to figure out a workaround with pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn't work either.

JKnott @fvultee:

@fvultee said in Guest / Non-Guest Network with Separate DHCP and Firewall Rules?:

> Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively; that's why I've been trying to figure out a workaround with pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn't work either.

                    I just noticed something I missed before:

                    (IE no contact with the MAC authorized devices)

                    PfSense cannot do that, as it has absolutely no effect on traffic between devices on the same subnet. PfSense is a router which means it only affects traffic that passes through it. The only way to prevent guest devices from contacting "authorized" devices is with separate SSID and VLAN.

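To make the two technical points of this thread concrete (JKnott's earlier suggestion of keeping DHCP static mappings in the lower half of the subnet and the dynamic pool in the upper half, and the closing point that pfSense only sees traffic that crosses between subnets), here is an added example in Python. It is not code from the thread, from pfSense or from Netgate; the interface names, subnets, rule list and host addresses are constructed assumptions for illustration.

```python
"""Added example (not from the thread, pfSense or Netgate): a small model of
which traffic a pfSense rule set can actually see. Interfaces, subnets, rules
and host addresses below are assumed for illustration."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed layout: the existing LAN plus the guest VLAN JKnott describes.
INTERFACES: Dict[str, IPv4Network] = {
    "LAN": ip_network("192.168.1.0/24"),
    "GUEST_VLAN": ip_network("192.168.10.0/24"),
}

# Assumed per-interface rules, first match wins, implicit default deny
# (as on pfSense). "any" matches every destination.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "LAN": [("pass", "any")],
    "GUEST_VLAN": [
        ("block", "192.168.1.0/24"),  # guests may not reach the LAN
        ("pass", "any"),              # but may reach the internet
    ],
}


def dhcp_split(subnet: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """The 'lower half for static mappings, upper half for the dynamic pool'
    layout suggested in the thread. Skips the first host (.1, assumed to be
    the pfSense gateway address). Returns ((static_lo, static_hi),
    (dynamic_lo, dynamic_hi))."""
    hosts = list(ip_network(subnet).hosts())
    mid = len(hosts) // 2
    static = (str(hosts[1]), str(hosts[mid - 1]))
    dynamic = (str(hosts[mid]), str(hosts[-1]))
    return static, dynamic


def interface_of(addr: str) -> Optional[str]:
    """Interface whose subnet contains addr, or None (e.g. an internet host)."""
    ip = ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None


def path(src: str, dst: str) -> str:
    """'switched' when both hosts share a subnet: the AP/switch forwards the
    frame directly and pfSense never sees it. 'routed' otherwise."""
    src_if, dst_if = interface_of(src), interface_of(dst)
    if src_if is not None and src_if == dst_if:
        return "switched"
    return "routed"


def verdict(src: str, dst: str) -> str:
    """Fate of a packet from src to dst: 'unfiltered' if it never crosses
    pfSense, otherwise the first matching rule's action, else 'block'."""
    if path(src, dst) == "switched":
        return "unfiltered"
    ingress = interface_of(src)
    if ingress is None:
        return "block"  # unknown ingress, assumed WAN default deny
    dst_ip = ip_address(dst)
    for action, target in RULES.get(ingress, []):
        if target == "any" or dst_ip in ip_network(target):
            return action
    return "block"


if __name__ == "__main__":
    print("DHCP split of 192.168.1.0/24:", dhcp_split("192.168.1.0/24"))
    # A guest in the dynamic upper half of the same subnet: a block rule on
    # pfSense cannot help, because the traffic is switched, not routed.
    print(verdict("192.168.1.200", "192.168.1.10"))   # unfiltered
    # The same guest on the VLAN: now the traffic is routed and the rule applies.
    print(verdict("192.168.10.50", "192.168.1.10"))   # block
    print(verdict("192.168.10.50", "198.51.100.7"))   # pass
```

The first `verdict` call is the original poster's attempt: the guest and the authorized device share 192.168.1.0/24, so the frame goes AP to host without touching pfSense and the block rule is never consulted. The second call is the VLAN design: the guest sits on a different subnet, the packet must be routed, and the GUEST_VLAN rule blocks it. Address range bookkeeping alone, as `dhcp_split` shows, changes nothing about which traffic the firewall sees.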